How to handle a domain with an unknown SID value

Andreas Schneider anschneider at suse.de
Thu Oct 11 16:42:44 GMT 2007


Hi,

I found the following problem in Samba: a domain with a wrong SID was
added to the list of trusted domains. After ~10 minutes the SID is resolved
again with the right value.

[2007/10/08 17:10:17, 2] nsswitch/winbindd_util.c:add_trusted_domain(177)
  Added domain CYNSRV cyn S-1-5-21-2036336539-28840620-1559891442
[2007/10/08 17:10:17, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.
[2007/10/08 17:10:17, 2] nsswitch/winbindd_util.c:add_trusted_domain(177)
  Added domain POPULATION population.nue.cyn S-1-0-0
[2007/10/08 17:10:17, 0] lib/util_sid.c:string_to_sid(242)
  string_to_sid: Sid S-0-0 is not in a valid format.

The 'Null SID' (S-1-0-0) indicates that we have a group with no members. This
is often used when a SID value is not known [1].

I've looked at the code (SAMBA_3_0_26):

source/nsswitch/winbindd_util.c
static void trustdom_recv(void *private_data, BOOL success)

if (!string_to_sid(&sid, sidstr)) {
  /* Allow NULL sid for sibling domains */
  if ( strcmp(sidstr,"S-0-0") == 0) {
    sid_copy( &sid, &global_sid_NULL);
  } else {
    DEBUG(0, ("Got invalid trustdom response\n"));
    break;
  }
}

Jerry: What does this code do exactly?


I think we hit the S-0-0 case from the log above with this code, but when we
add the domain

source/nsswitch/winbindd_util.c
static struct winbindd_domain *add_trusted_domain(const char *domain_name, ...

to the list of trusted domains, the domain->sid for the POPULATION domain is
S-1-0-0 here.

A possible fix would be not to add the domain to the list of trusted domains.
I've attached the patch which checks if the domain->sid is "S-1-0-0" and
returns NULL.

Is this the right way to try to solve this problem?


Thanks,


	-- andreas


[1] http://msdn2.microsoft.com/en-us/library/aa379649.aspx

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winbind_unkown_domain.patch
Type: text/x-patch
Size: 677 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20071011/52100c4a/winbind_unkown_domain.bin
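
Added example (not part of the original message and not Samba code): a stand-alone C program that classifies the SID strings seen in the log above, treating both the "S-0-0" placeholder and the Null SID S-1-0-0 as "unknown" so a caller can decline to add such a domain to its trust list. The names parse_sid, classify_trustdom_sid and the enum values are hypothetical, and the parser is a simplified stand-in for string_to_sid.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_SUBAUTHS 15
struct sid { unsigned rev; uint64_t auth; int n; uint32_t sub[MAX_SUBAUTHS]; };
enum sid_class { SID_INVALID, SID_UNKNOWN, SID_USABLE };

static int digit_at(const char *p) { return isdigit((unsigned char)*p); }

/* Simplified parser for "S-<rev>-<authority>-<sub>[-<sub>...]". */
static int parse_sid(const char *s, struct sid *out)
{
    char *end;
    if (strncmp(s, "S-", 2) != 0 || !digit_at(s + 2)) return 0;
    out->rev = (unsigned)strtoul(s + 2, &end, 10);
    if (*end != '-' || !digit_at(end + 1)) return 0;
    out->auth = strtoull(end + 1, &end, 10);
    out->n = 0;
    while (*end == '-') {
        if (out->n == MAX_SUBAUTHS || !digit_at(end + 1)) return 0;
        out->sub[out->n++] = (uint32_t)strtoul(end + 1, &end, 10);
    }
    /* "S-0-0" fails here: nothing follows the authority field. */
    return *end == '\0' && out->n > 0;
}

/* Decide whether a SID string from a trusted-domain listing identifies a domain. */
static enum sid_class classify_trustdom_sid(const char *sidstr)
{
    struct sid sid;
    if (!parse_sid(sidstr, &sid))   /* placeholder vs. real garbage */
        return strcmp(sidstr, "S-0-0") == 0 ? SID_UNKNOWN : SID_INVALID;
    if (sid.rev == 1 && sid.auth == 0 && sid.n == 1 && sid.sub[0] == 0)
        return SID_UNKNOWN;         /* Null SID S-1-0-0 */
    return SID_USABLE;
}

int main(void)
{
    /* SID strings taken from the log in the message, plus one constructed bad value. */
    const char *in[] = { "S-1-5-21-2036336539-28840620-1559891442",
                         "S-0-0", "S-1-0-0", "S-1-5-" };
    const char *label[] = { "invalid", "unknown: do not add", "usable" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-42s %s\n", in[i], label[classify_trustdom_sid(in[i])]);
    return 0;
}
```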

